It looks generally good. Thanks William and John for creating it. I spotted a few nits.
NS1: MUST is not a recommendation
================================

In 8.5, it says:

    (which is a recommended in Section 7.1.1 <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-7.1.1>)

However, in 7.1.1, it is a MUST, i.e., required instead of recommended. So, "recommended" in the above sentence needs to be changed to "required".

NS2: Dynamically registered client can be treated as a confidential client
=======================================================

In 8.9 <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.9>, it says:

    Authorization servers that still require a shared secret for native app clients MUST treat the client as a public client

As it is a MUST, we have to qualify it a little more, as it is OK to treat it as a confidential client if the client dynamically registers the copy and obtains a shared secret that is only shared between the copy of the app and the server.

Suggestion:

    Authorization servers that still require a statically included shared secret for native app clients MUST treat the client as a public client

NS3: Server Mix-up
======================

8.11 <https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07#section-8.11> talks about mix-up mitigation but misses one of the points. Specifically:

* the app MUST store the redirect URI in the request with the "session" and MUST verify that it exactly matches the URI of the endpoint at which it received the response.
Cheers,

Nat Sakimura

On Wed, Mar 1, 2017 at 5:51 AM Brian Campbell <bcampb...@pingidentity.com> wrote:
> -07 LGTM
>
> On Feb 20, 2017 2:53 AM, "Hannes Tschofenig" <hannes.tschofe...@gmx.net> wrote:
>
> Hi all,
>
> after the working group last call of the "OAuth 2.0 for Native Apps" document July last year (see https://www.ietf.org/mail-archive/web/oauth/current/msg16534.html) I had, as a shepherd, collected IPR confirmations (see https://www.ietf.org/mail-archive/web/oauth/current/msg16672.html) and produced a shepherd writeup (see https://www.ietf.org/mail-archive/web/oauth/current/msg16702.html).
>
> Since version -03 and the current version -07 a fair amount of text has been changed, see
>
> https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-ietf-oauth-native-apps-03.txt&url2=https://tools.ietf.org/id/draft-ietf-oauth-native-apps-07.txt
>
> Although most of those changes are editorial and normative changes have been discussed on the mailing list I believe it is fair to let the group take a brief look at the final version.
>
> For this reason we will issue a short, one week, working group last call before pushing the document to the IESG.
>
> So, please provide your comments to the list no later than February 27th.
>
> Here is the link to the document again:
> https://tools.ietf.org/html/draft-ietf-oauth-native-apps-07
>
> Ciao
> Hannes & Derek
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Nat Sakimura
Chairman of the Board, OpenID Foundation
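The redirect-URI binding that NS3 asks for, written out as an added example (this is not code from the draft, the thread, or any of the projects the participants work on). It assumes a native app that keeps its outstanding authorization requests in a per-session store (`pending`, a plain dict here), keyed by the `state` value it generated; the function names, the `com.example.app:` private-use scheme and the `as-a.example` / `as-b.example` server names are all constructed for the illustration.

```python
import secrets
from urllib.parse import parse_qs


class ResponseError(Exception):
    """An authorization response that the app must not act on."""


class MixUpError(ResponseError):
    """The response cannot be tied to the request the app actually sent."""


def begin_authorization(pending, authorization_endpoint, redirect_uri):
    """Register a new request and return the `state` value to send with it.

    `pending` is the app's per-session store of outstanding requests (a plain
    dict here, standing in for whatever persistent storage a real app uses),
    keyed by an unguessable state value.  The redirect URI and the endpoint
    the request is sent to are recorded alongside it.
    """
    state = secrets.token_urlsafe(32)
    pending[state] = {
        "authorization_endpoint": authorization_endpoint,
        "redirect_uri": redirect_uri,
    }
    return state


def endpoint_of(received_url):
    """Return the URL with query and fragment removed: the endpoint that was hit."""
    return received_url.split("#", 1)[0].split("?", 1)[0]


def query_of(received_url):
    """Parse the query string into single-valued parameters.

    A parameter that appears twice is rejected, since the app could otherwise
    act on a different `code` or `state` than the one it validated.
    """
    query = received_url.split("#", 1)[0].partition("?")[2]
    parsed = parse_qs(query, keep_blank_values=True)
    params = {}
    for name, values in parsed.items():
        if len(values) != 1:
            raise ResponseError(f"repeated query parameter: {name}")
        params[name] = values[0]
    return params


def handle_redirect(pending, received_url):
    """Validate a response delivered to `received_url`; return the authorization code.

    The check the review asks for: the endpoint at which the response arrived
    must be exactly (character for character) the redirect URI stored with the
    pending request.  A response delivered anywhere else, even on the same
    custom scheme, is refused, because the app cannot tell which server it
    actually came from.
    """
    params = query_of(received_url)
    state = params.get("state")
    if state is None or state not in pending:
        raise MixUpError("no pending request matches the state in the response")
    request = pending.pop(state)  # state is single-use, whatever happens next
    if endpoint_of(received_url) != request["redirect_uri"]:
        raise MixUpError(
            f"response received at {endpoint_of(received_url)!r}, "
            f"request was issued with redirect_uri {request['redirect_uri']!r}"
        )
    if "error" in params:
        raise ResponseError(f"authorization server returned error {params['error']!r}")
    if "code" not in params:
        raise ResponseError("response carries neither code nor error")
    return params["code"]


if __name__ == "__main__":
    # Constructed sample: one pending request per authorization server, each
    # with its own redirect URI path under the app's private-use scheme.
    store = {}
    state_a = begin_authorization(store, "https://as-a.example/authorize",
                                  "com.example.app:/oauth2redirect/as-a")
    state_b = begin_authorization(store, "https://as-b.example/authorize",
                                  "com.example.app:/oauth2redirect/as-b")
    # Response for the AS-A request arrives at AS-A's redirect URI: accepted.
    print(handle_redirect(store, f"com.example.app:/oauth2redirect/as-a?code=c1&state={state_a}"))
    # Response carrying the AS-B state arrives at AS-A's redirect URI: refused.
    try:
        handle_redirect(store, f"com.example.app:/oauth2redirect/as-a?code=c2&state={state_b}")
    except MixUpError as exc:
        print("refused:", exc)
```

The comparison is deliberately a plain string equality on the endpoint part of the URL, not a normalised or prefix match: the draft's own text says "exactly matches", and anything looser reopens the case where two servers share a scheme or host and only differ in path. Popping the state entry before the URI check keeps `state` single-use even when the response is rejected.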